Write documentation on how to set up /etc/containers/policy.json #530

Closed
lubosmj opened this issue Jan 12, 2022 · 3 comments

@lubosmj
Member

lubosmj commented Jan 12, 2022

Signed content cannot be verified unless additional changes are made to the policy configuration.

A user who consumes content from the Pulp Registry needs to update the policy (maybe) for each repository separately in order to let podman succeed with the pull operation, like so:

```json
"localhost:24817/my_precious": [
    {
        "type": "signedBy",
        "keyType": "GPGKeys",
        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
        "signedIdentity": {
            "type": "remapIdentity",
            "prefix": "localhost:24817/my_precious",
            "signedPrefix": "registry.redhat.io/ubi8/ubi-micro"
        }
    }
],
```

This has to be properly documented to avoid possible confusion about invalid signatures.

@lubosmj lubosmj added the Task label Jan 12, 2022
@goosemania
Member

Additional note: If a user makes the base_path of a distribution the same as the repo name in the remote registry, then no per-repo configuration will be needed and it could be just registry name remapping:

```json
"localhost:24817": [
    {
        "type": "signedBy",
        "keyType": "GPGKeys",
        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
        "signedIdentity": {
            "type": "remapIdentity",
            "prefix": "localhost:24817",
            "signedPrefix": "registry.redhat.io"
        }
    }
],
```

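The two policy shapes above (a per-repository scope versus a single registry-wide scope when base_path mirrors the upstream repo name) are easier to reason about when you can see which scope a pull would hit and which identity the signature then has to carry. The following is an added example, not code from the issue or from pulp_container or containers/image: it builds a complete policy.json around the fragments shown above and mimics the scope-matching and remapIdentity rules of the containers policy spec. The key path and registry names are the ones from the issue; the default of "reject" is an assumption chosen for the example.

```python
import json

KEY = "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"  # key path quoted in the issue

def signed_by(prefix, signed_prefix, key_path=KEY):
    """One signedBy requirement remapping the local prefix to the upstream identity."""
    return [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": key_path,
             "signedIdentity": {"type": "remapIdentity",
                                "prefix": prefix, "signedPrefix": signed_prefix}}]

def build_policy(mappings):
    """Complete policy.json; anything outside the listed docker scopes is rejected
    (assumed default for this example)."""
    return {"default": [{"type": "reject"}],
            "transports": {"docker": {p: signed_by(p, s) for p, s in mappings}}}

def repository_name(reference):
    """Strip digest and tag. The tag only follows the last path component, so the
    registry port in 'localhost:24817' is left alone."""
    name = reference.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    return head + sep + last.split(":", 1)[0] if sep else name

def match_scope(scopes, reference):
    """Most specific docker scope, in the order the policy spec evaluates them:
    full reference, repository, each parent namespace, then the registry host."""
    candidates, name = [reference], repository_name(reference)
    while name:
        candidates.append(name)
        name = name.rpartition("/")[0]
    return next(((c, scopes[c]) for c in candidates if c in scopes), (None, None))

def decide(policy, reference):
    """(matched scope, identity the signature must carry) or (None, default action)."""
    scope, reqs = match_scope(policy["transports"]["docker"], reference)
    if scope is None:
        return None, policy["default"][0]["type"]
    repo, ident = repository_name(reference), reqs[0]["signedIdentity"]
    # remapIdentity only applies on a path-component boundary of the prefix
    if repo == ident["prefix"] or repo.startswith(ident["prefix"] + "/"):
        return scope, ident["signedPrefix"] + repo[len(ident["prefix"]):]
    return scope, repo  # prefix did not apply: identity must equal the local name

if __name__ == "__main__":
    per_repo = build_policy([("localhost:24817/my_precious", "registry.redhat.io/ubi8/ubi-micro")])
    whole_host = build_policy([("localhost:24817", "registry.redhat.io")])
    print(json.dumps(per_repo, indent=4))
    print(decide(per_repo, "localhost:24817/my_precious:latest"))
    print(decide(whole_host, "localhost:24817/ubi8/ubi-micro:latest"))
```

With the registry-wide mapping, a pull of `localhost:24817/ubi8/ubi-micro` resolves to the signed identity `registry.redhat.io/ubi8/ubi-micro` without any per-repo entry, which is the maintenance saving described above.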
@ipanova
Member

ipanova commented Jan 12, 2022

I would not expand much in our docs on how to set up the policy file, since it is outlined quite well in the specs. We can provide a basic example to get users started and, for the rest, point to the specs.

@goosemania
Member

> I would not expand much in our docs on how to set up the policy file, since it is outlined quite well in the specs. We can provide a basic example to get users started and, for the rest, point to the specs.

I think it makes sense to provide specific examples for what will work with Pulp use cases. As a user, I would get lost in the terminology between docker, policy and Pulp. E.g. a repo(?) name in the registry is a base_path in Pulp, and if you make them the same, it will make your policy maintenance much lighter. My head has already exploded 🤯

@ipanova ipanova self-assigned this Feb 3, 2022
ipanova added a commit to ipanova/pulp_container that referenced this issue Mar 25, 2022